Abstract: Traversal time and hop count analysis (TTHCA) is a recent wormhole detection 
algorithm for mobile ad hoc networks (MANET) which provides enhanced detection 
performance against all wormhole attack variants and network types. TTHCA involves 
each node measuring the processing time of routing packets during the route discovery 
process and then delivering the measurements to the source node. In a participation mode 
(PM) wormhole where malicious nodes appear in the routing tables as legitimate nodes, the 
time measurements can potentially be altered so preventing TTHCA from successfully 
detecting the wormhole. This paper analyses the prevailing conditions for time tampering 
attacks to succeed for PM wormholes, before introducing an extension to the TTHCA 
detection algorithm called ΔT Vector which is designed to identify time tampering, while 
preserving low false positive rates. Simulation results confirm that the ΔT Vector extension 
is able to effectively detect time tampering attacks, thereby providing an important security 
enhancement to the TTHCA algorithm. 

Keywords: mobile networks; MANET; MANET security; routing security; wormhole 
attack; hop count; queuing delay; packet processing time; TTHCA; MHA 

1. Introduction 

A Mobile ad hoc Network (MANET) is a self-configuring arrangement of wireless nodes which can 
communicate with each other without requiring core infrastructure such as routers and base stations. They 
can be deployed in a range of application domains including military communications, vehicular and 
sensor networks, and as an access mechanism to the Internet in scenarios where nodes are out of radio 
range, such as in underground transport systems. 

The open nature and absence of dedicated routers mean that MANETs are especially vulnerable to 
routing attacks [1,2] which can lead to severe disruption of network communications. The wormhole 
attack [3] is one of the most serious MANET routing threats since it is relatively easy to launch, 
difficult to detect and can yet cause significant communications disruption. A wormhole creates a 
fictive shortcut link in the network with the intention to attract data packets to traverse specific nodes. It 
involves two collaborating malicious nodes forwarding routing packets to each other. When a malicious 
node captures a routing packet, it is encapsulated within a new packet and tunnelled to the other wormhole 
node, which then extracts the routing packet before relaying it to its neighbours. As a consequence, 
malicious nodes can appear as neighbours despite being located several hops from each other. 

Wormhole attacks can be launched in two ways: hidden mode (HM) and participation mode (PM) [4]. 
The former captures and forwards routing packets to each other without modifying the actual packets, 
so the wormhole nodes never appear in routing tables. In contrast, PM nodes process routing packets 
as any pair of legitimate nodes and thus appear in a wormhole infected route as two contiguous nodes. 

Wormhole nodes can forward routing packets to each other using either an in-band (I-B) or 
out-of-band (O-B) communication link. I-B tunnels packets between the malicious nodes via genuine 
network nodes so it is easy to launch, while the O-B link is more complex because it requires an 
external communication channel, i.e., network cable or directional antenna, to establish a direct link 
between the wormhole nodes. 

Designing effective and robust wormhole detection schemes means considering all four modes 
with each mandating different requirements upon the detection mechanism. Various detection 
strategies have been proposed and these can be broadly classified into: (i) neighbour validation and 
(ii) end-to-end techniques. 

Neighbour validation schemes like packet leashes [3] and [5] are only effective for HM wormhole 
attacks because they rely on every node checking the validity of its neighbours and since PM wormhole 
nodes appear as legitimate neighbours in a route, they can avoid being detected by simply ignoring the 
validity check. Other schemes like statistical wormhole apprehension using neighbours (SWAN) [6] 
identify a wormhole by the number of neighbours, though this is only effective for HM wormholes 
since PM wormholes do not increase the number of neighbours for a legitimate node. 

In contrast, end-to-end detection techniques measure and analyse node activity and route features such 
as the geographical positions of nodes [7-11], the frequency of node appearances in routes [9-11], hop 
count (HC) information [12] or round trip time (RTT) of routing packets [13-16]. Such techniques are 
typically used to detect PM wormholes, but have a number of recurring limitations including the 
inability to detect all wormhole variants, the requirement of dedicated hardware, reliance on certain 
MANET environments, and high computational overheads and/or bandwidth loads upon the network. 

The traversal time and hop count analysis (TTHCA) algorithm is a new wormhole detection 
technique [17] designed as a security extension to the ad hoc on demand distance vector (AODV) [18] 
routing protocol. It combines the benefits of RTT-based approaches with HC analysis, to provide 
improved detection for all wormhole types, under a variety of network scenarios. RTT-based wormhole 
detection schemes, such as wormhole attack prevention (WAP) [13], transmission time-based mechanism 
(TTM) [15] and delay per hop indication (DelPHI) [14], offer low overhead solutions in terms of 
hardware, computation and throughput, but have the limitation that variations in a node's packet 
processing time, i.e., the sum of the queuing delay and service time, must be small. In a real MANET, 
nodes can exhibit high packet processing time variations, a feature the neighbour probe acknowledge 
(NPA) method [16] addresses by employing the standard deviation of the RTT as an accurate metric. 
NPA has not however, been tested in large scale networks and is inherently computationally heavier 
than either TTHCA or other RTT-based techniques because it uses encryption and time-stamped 
digital signatures to guarantee the security of the routing packets. In TTHCA, packet traversal times 
(PTT) are measured instead of the RTT of a routing packet, as this more accurately reflects the distance 
between a source and destination node. The corollary is that TTHCA affords significantly superior 
wormhole detection and lower false positive (FP) performance than RTT-based solutions, while 
concomitantly affording low computational overheads. 

A potential drawback of TTHCA is that under specific conditions, PM wormhole nodes can alter 
the time measurements and prevent the wormhole from being detected. In TTHCA, PTT is estimated 
by initially allowing each intermediate node to measure the packet processing time of the AODV route 
request (RREQ) and route reply (RREP) packets, before adding this measurement value ΔT to a ΔT_TOT 
parameter in the RREP packet. Upon receiving the RREP, the source node can calculate PTT by 
subtracting ΔT_TOT from the RTT. A wormhole is suspected if the PTT is unrealistically high in relation 
to the HC. By falsely increasing ΔT_TOT, a PM wormhole node can evade being detected because this 
results in a smaller PTT than is in fact the case. Time tampering attacks are not relevant to HM 
wormholes because, as mentioned above, they never process the routing packets. 

This paper analyses the time tampering problem and investigates its impacts on TTHCA wormhole 
detection performance. A solution is presented to accurately identify time tampering in PM I-B 
wormholes by introducing a ΔT Vector extension into the TTHCA algorithm. The ΔT Vector replaces 
the ΔT_TOT parameter in the RREP packet with a list of the individual ΔT values from all intermediate 
nodes. A malicious node must thus produce a falsely inflated ΔT in order to perform a successful time 
tampering attack. By using the ΔT Vector extension, a tampered ΔT can be accurately identified by the 
source node as it typically is significantly higher than a healthy ΔT. 

The remainder of the paper is organized as follows: Section 2 presents a brief overview of the 
TTHCA algorithm before Section 3 investigates time tampering attacks and the specific conditions 
necessary for this security breach to ensue. The new ΔT Vector extension is then introduced in Section 4 
and its performance analysed in Section 5 for diverse MANET scenarios. Finally, some concluding 
comments are provided in Section 6. 

2. The Traversal Time and Hop Count Analysis (TTHCA) Algorithm 

In TTHCA, a source node firstly measures the RTT of the AODV route discovery packets, which is 
the time between sending the RREQ packet and receiving the RREP packet. Each intermediate node 
measures the processing time of the RREQ and RREP packets (ΔT_i) and this is added to the ΔT_TOT 
parameter in the RREP packet. Hence, once a RREP packet is received by the source node: 

$$\Delta T_{TOT} = \sum_{i=1}^{HC} \Delta T_i \qquad (1)$$

and the PTT is calculated from: 

$$PTT = \frac{RTT - \Delta T_{TOT}}{2} \qquad (2)$$

A wormhole is then suspected if: 

$$\frac{PTT}{HC} > \frac{R}{S} \qquad (3)$$

where R and S are respectively the maximum radio range per node and the propagation speed 
(i.e., 3 × 10^8 m/s). 

When a wormhole is suspected, all intermediate nodes on the route are added to a graylist [12] which is 
broadcast throughout the MANET together with a new RREQ. All graylist nodes are then omitted during 
the next route discovery procedure resulting in a new unique route. Graylist broadcasting is repeated until 
a healthy route is found. 

3. Time Tampering in TTHCA 

The TTHCA wormhole detection algorithm is predicated on the assumption that a wormhole route 
will exhibit an unrealistically high PTT per HC. Wormhole nodes however, can potentially prevent 
TTHCA from detecting infected routes by adding a fictive packet processing time ΔT_F to the ΔT_TOT 
parameter of the RREP packet. It is important to stress that time tampering is not a modification attack 
per se as the PM wormhole node never alters any routing packet parameters, but instead produces false 
measurement information. This means schemes designed to prevent packet alteration by for example, 
encrypting all routing packet parameters, will be ineffectual against a TTHCA time tampering attack. 

As a wormhole infected route has a high PTT/HC, the malicious nodes must artificially produce a 
lower PTT than in reality for that route to avoid detection and this can be accomplished by increasing 
ΔT_TOT. Since ΔT_TOT ≫ PTT and ΔT_i may incur large fluctuations due to for example, variable network 
traffic loads, it is difficult for the wormhole nodes to be aware of exactly how to set ΔT_F as it must be 
precisely defined within the narrow time window that exists to effectively achieve time measurement 
tampering. This window is bounded by: 

$$\left(RTT - \Delta T_{TOT} - 2\,HC\,\frac{R}{S}\right) < \Delta T_F < \left(RTT - \Delta T_{TOT}\right) \qquad (4)$$

So if the tampered ΔT_F is too small, TTHCA is still able to detect the route as a wormhole because 
PTT/HC is higher than the threshold in Equation (3). Conversely, if ΔT_F is made too high the resulting 
PTT at the source node will be negative. 

Pragmatically it is not feasible for a malicious node to exactly know the time tampering window 
since it can only be aware of the values of R and S in Equation (4). Successful time tampering is still 
feasible however, if the malicious nodes (M1 and M2) can estimate the RTT of the wormhole link 
(RTT_WH). In an I-B link, RTT_WH can have high variations due to variable packet processing times at the 
nodes through which the wormhole is tunnelled, making the precise estimation of RTT_WH challenging. 
One approach for estimating RTT_WH for PM wormhole links is to use tightly synchronized clocks. 
During route discovery, wormhole node M1 adds exact time information as an adjunct parameter 
within the tunnelled packet as it forwards the RREQ to the other malicious node M2. Upon receiving 
this tunnelled RREQ, M2 estimates the precise propagation delay of the RREQ through the wormhole 
t_RREQ by comparing the received time information with its own clock. A similar process occurs when 
M2 returns RREP to M1, with time information again being added as the RREP is tunnelled to M2. 
When M1 receives the tunnelled RREP, it calculates t_RREP to give: 

$$RTT_{WH} = t_{RREQ} + t_{RREP} \qquad (5)$$

M1 then adds the fictive time value ΔT_F defined as: 

$$\Delta T_F = RTT_{WH} - 2\frac{R}{S} \qquad (6)$$

to ΔT_TOT of the RREP in addition to its own ΔT_i. 

Alternatively, the wormhole nodes can split the time tampering attack into two steps. Firstly, M2 
adds the fictive value: 

$$\Delta T_{F1} = t_{RREQ} - \frac{R}{S} \qquad (7)$$

before M1 adds: 

$$\Delta T_{F2} = t_{RREP} - \frac{R}{S} \qquad (8)$$

So ΔT_F = ΔT_F1 + ΔT_F2 is then added to ΔT_TOT. 

To illustrate the conditions that must exist for TTHCA time tampering to be achieved, consider the 
MANET example in Figure 1, where a PM I-B wormhole is formed by nodes M1 and M2 which tunnel 
routing packets between each other via I2 and I3. 

It is assumed for simplicity that all nodes are in an idle state, have identical hardware and the 
inter-node distance is the same, so the t_i and ΔT_j values are constant. Let t_i = 1,600 ns for all i and 
ΔT_j = 8 ms for all j, where j = i + 1. If RTT_WH = 16.0048 ms then RTT = 56.0112 ms. For this PM I-B 
scenario, the HC is 5 and ΔT_TOT = 40 ms, so from Equation (2), source node A calculates 
PTT = 8.0056 ms giving PTT/HC = 1.60112 ms. If it is assumed R = 250 m, then from Equation (3) 
the upper bound for PTT/HC = 833 ns which means TTHCA will successfully detect the wormhole. 
Using Equation (4), it can be determined that both I2 and I5 are able to prevent detection by increasing 
ΔT_TOT within the range: 

16.002867 ms < ΔT_F < 16.011200 ms 

This means the time tampering window is only 8.33 µs wide and while this is a stringent constraint, 
if synchronized clocks are being used by both M1 and M2, it is still realistically an achievable 
design tolerance. 

Figure 1. MANET scenario where A and B are the source and destination nodes, M1 and 
M2 are malicious wormhole nodes, t_i is 2 × PTT between two successive nodes, ΔT_j is the 
routing packet processing time, RTT is the round trip time of the route, and RTT_WH is the 
RTT of the wormhole link. 




Analysis for a wide range of network and wormhole attack conditions reveals that a sufficient and 
necessary condition for a wormhole to avoid being detected is to uphold either Equations (6) or (7) and (8). 
In this PM I-B example, both M1 and M2 will calculate ΔT_F = 16.003133 ms which implies the tampered 
value falls within the window of Equation (4) to avoid being discovered. In these circumstances, the false 
measurement ΔT_TOT = 56.003133 ms so from Equation (2), the source node A measures PTT = 4,033 ns 
and PTT/HC = 806 ns meaning this wormhole route will go undetected by TTHCA. 
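
The Figure 1 arithmetic as the source node would carry it out, given here as an added example that is not code from the paper: it applies Equations (2) to (4) and (6) to the stated values and shows how narrow the band of inflated ΔT_TOT values is that the aggregate check accepts. The function names and the "implausible" verdict for a non-positive PTT are assumptions of this example.

```python
# Added example (not from the paper): the source node's TTHCA check,
# Equations (2)-(4) and (6), on the Figure 1 numbers. Times are in nanoseconds.

S = 3e8                        # propagation speed in m/s (page value)
R = 250.0                      # maximum radio range in m (assumed in the page's example)
HOP_LIMIT_NS = R / S * 1e9     # R/S, about 833 ns of traversal time per hop

# Figure 1 scenario as stated on the page
RTT_NS = 56_011_200            # 56.0112 ms
DT_TOT_NS = 40_000_000         # 40 ms reported along the route
HC = 5
RTT_WH_NS = 16_004_800         # 16.0048 ms across the wormhole link


def ptt_ns(rtt_ns, dt_tot_ns):
    """Equation (2): packet traversal time left after removing processing time."""
    return (rtt_ns - dt_tot_ns) / 2


def classify_route(rtt_ns, dt_tot_ns, hc):
    """Source-node verdict for one RREP.

    'implausible' is a hypothetical label for the case the page describes as a
    negative PTT: the reported processing time is at least as large as the RTT.
    """
    ptt = ptt_ns(rtt_ns, dt_tot_ns)
    if ptt <= 0:
        return "implausible"
    if ptt / hc > HOP_LIMIT_NS:          # Equation (3)
        return "wormhole_suspected"
    return "accepted"


def tamper_window_ns(rtt_ns, dt_tot_ns, hc):
    """Equation (4): open interval of added delay that the aggregate check accepts."""
    upper = rtt_ns - dt_tot_ns
    return upper - 2 * hc * HOP_LIMIT_NS, upper


def fictive_delay_ns(rtt_wh_ns):
    """Equation (6): added delay derived from the measured wormhole RTT."""
    return rtt_wh_ns - 2 * HOP_LIMIT_NS


def figure1_outcomes():
    """Verdicts for the honest total and for three inflated totals."""
    added = {
        "honest": 0,
        "too_small": 16_000_000,                 # constructed, below the window
        "equation_6": fictive_delay_ns(RTT_WH_NS),
        "too_large": 16_020_000,                 # constructed, above the window
    }
    return {name: classify_route(RTT_NS, DT_TOT_NS + extra, HC)
            for name, extra in added.items()}


if __name__ == "__main__":
    low, high = tamper_window_ns(RTT_NS, DT_TOT_NS, HC)
    print(f"PTT/HC = {ptt_ns(RTT_NS, DT_TOT_NS) / HC:.0f} ns, limit {HOP_LIMIT_NS:.0f} ns")
    print(f"window = ({low / 1e6:.6f} ms, {high / 1e6:.6f} ms)")
    for name, verdict in figure1_outcomes().items():
        print(f"{name:11s} -> {verdict}")
```

Only the value from Equation (6) is accepted; everything outside the 8.33 µs window is either still flagged by Equation (3) or rejected as implausible, which is why the per-node values need to be inspected as well.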

4. ΔT Vector TTHCA Extension 

Section 3 showed that the essential condition for the TTHCA algorithm to be unable to detect a 
wormhole route is for the malicious nodes to increase ΔT_TOT within the strict bounds defined in 
Equation (4). Any successful tampered ΔT_TOT will always be greater than the actual ΔT_TOT though 
simply analysing ΔT_TOT as a sum of individual ΔT_i values will not necessarily identify the wormhole 
route because these usually exhibit high variance. 

In this paper, to analyse ΔT_i for each intermediate node, ΔT_TOT is replaced by a new ΔT Vector 
comprising all the measured ΔT values. This extension means that some new features for the TTHCA 
route discovery process are introduced to support the embedding of the ΔT Vector as shown in the 
Figure 2 flowchart, with the shaded blocks highlighting these new elements. 

The RREQ and graylist broadcast procedures remain as in original TTHCA [17], but instead of 
using a ΔT_TOT parameter, the ΔT Vector is included in the RREP packet by the destination node. The 
time taken from receiving the RREQ until sending the RREP at the destination node is added as the 
first element ΔT_1. Each intermediate node receiving and forwarding the RREP then adds its ΔT 
(ΔT_RREQ + ΔT_RREP) as a new element in the ΔT Vector. 

When the RREP is received by the source node, each ΔT_i element of the ΔT Vector consists of the 
processing times incurred by the RREQ and RREP packets. If a PM wormhole attack is launched 
alongside a time tampering attack, at least one of the ΔT Vector elements will be falsely increased in 
accordance with Equations (6), (7) and (8). A suitable outlier detection technique can then be applied 
to identify tampered ΔT_i values (see Section 4.1) from the ΔT Vector dataset. If a suspicious ΔT_i is 
identified, TTHCA then requests a new route by issuing a graylist broadcast. If no suspicious ΔT_i is 
found, the normal PTT/HC analysis is performed for both HM and PM wormhole detection. 

Figure 2. TTHCA route discovery with the ΔT Vector extension (RTT = round trip time, 
RREQ = route request, RREP = route reply, ΔT = packet processing time, PTT = packet 
traversal time, HC = hop count, R = radio range, S = propagation speed). 

4.1. Identifying Tampered ΔT_i Measurement 

The ΔT Vector extension is founded on the premise that a malicious node can only modify its own ΔT_i, 
which is a pragmatic assumption since in real MANET environments routing packets must be secured 
from modification attacks for the routing process to be trustworthy. A wormhole link typically consists 
of two malicious nodes, so a ΔT Vector received through any wormhole infected route will include 
either one or two tampered ΔT values. It is possible to distinguish tampered ΔT values from healthy 
ΔT_i measurements by applying an appropriate outlier detection technique, such as the Grubbs' test [19], 
Dixon's Q-test [20] or the Box plot method [21], though several conditions can affect the performance of 
the chosen outlier method. In this context, two distinct MANET scenarios are defined: 

CASE 1: A node has been a part of the network for some time and generated a track record of ΔT_i 
values gained from ΔT Vectors from earlier route discovery procedures. In this scenario, the 
availability of a large number of ΔT_i samples can be reasonably assumed. 

CASE 2: A node has joined the MANET for the first time and so the only available ΔT values are 
those existing in the ΔT Vector. 

Due to the inherently dynamic nature of a MANET, several different types of ΔT_i distributions can 
arise which will impact on the performance of the outlier detection scheme. The ideal is when all 
MANET nodes have identical hardware and the network traffic loads are low. Such a condition would 
result in negligible ΔT variations and time tampering is then straightforward to detect. This is not 
however, a realistic MANET situation because there are a myriad of factors which can cause ΔT_i 
variations. For example, mixed node processing capacities and packet service times, allied with high 
network traffic loads in certain parts of the MANET can lead to queuing delays at specific nodes. 

In a heterogeneous MANET consisting of uniformly distributed nodes where the network traffic 
load is low and there are no queuing delays, the ΔT values can be assumed to follow a linear 
distribution. In MANETs with high network traffic load variations however, some of the ΔT values 
will include queuing delays which will be much greater than the actual packet service times [22]. The 
ΔT values will then tend to follow a nonlinear distribution where a small portion of the ΔT values are 
significantly higher than the average. For such a distribution, it is very challenging to discriminate a 
tampered from a normal ΔT value as a modified ΔT can potentially be lower than a healthy ΔT if the 
tampered measurement contains no queuing delay, while the healthy ΔT does. 

The outlier detection method selected for time tampering detection purposes must therefore be 
applicable to both large and small ΔT datasets i.e., CASE 1 and CASE 2 respectively, as well as for 
both linearly and non-linearly distributed measurements. 

5. Performance Analysis 

The performance of the ΔT Vector extension has been rigorously analysed using the Dixon Q-test [20] 
as the outlier detection technique to identify tampered ΔT values for a PM I-B wormhole infected 
route. The Q-test was chosen because of its simplicity and applicability to small and large datasets, 
making it appropriate for both the CASE 1 and CASE 2 scenarios. While the Q-test is only capable 
per se of detecting a single outlier, it can be applied to detect either one or two tampered ΔT values 
provided the right-tailed variant is used to separately test the two largest ΔT_i values. The outlier test is 
thus performed by first ranking the ΔT vector in order and then respectively calculating two Q values: 

$$Q_1 = \frac{\Delta T_{HC} - \Delta T_{HC-1}}{\Delta T_{HC} - \Delta T_1} \qquad (9)$$

$$Q_2 = \frac{\Delta T_{HC-1} - \Delta T_{HC-2}}{\Delta T_{HC-1} - \Delta T_1} \qquad (10)$$

Time tampering is suspected if either Q_1 or Q_2 is greater than the corresponding critical Q-value for 
the chosen confidence level. For this analysis, a low confidence level (80%) has been chosen, since 
from a security perspective, a higher time tampering detection rate is preferable to a low FP detection. 

Both the time tampering and FP detection performance for the ΔT Vector extension were analysed 
using a custom designed tool which simulated differently sized ΔT Vectors to reflect variable HC 
routes. ΔT_i values were produced by randomly generating packet processing times for each node, with 
variable inter-node distances considered for each route. 

The operating system (OS) for each MANET node was assumed to support multiprogramming with 
a scheduler assigning equal time slices to each process in rotation. Such an OS approximately 
implements processor-sharing so a logical processor executes each multiprogrammed task, with the 
processing capacity of a logical processor being the ratio of the physical processor capacity and the 
multiprogramming level. While nodes will typically have different physical processing capacities and 
multiprogramming levels, the equivalent multiprogramming level for each node will be relatively 
stable. A MANET having logical processors with diverse, yet stable processing capabilities is thus 
assumed to handle routing packets, so the corresponding packet service times for each node are assumed 
to be constant. Many concurrent route detection procedures can lead to routing packet queues in 
MANET nodes, since received routing packets must be sequentially processed to uphold route table 
updating requirements. For this reason, the packet processing times (ΔT_RREQ/RREP) have been generated 
using the M/D/1 queuing model [23], which assumes Poisson-distributed packet arrivals, deterministic 
service times of routing packets, a single central processing unit and an infinite maximum queue 
length. Hence, at each node: 

$$\Delta T_{RREQ/RREP} = \text{queuing delay} + T_s = \frac{T_s(2 - \rho)}{2(1 - \rho)} \qquad (11)$$

where T_s and ρ are the routing packet service time and network traffic load upon a node respectively. 
Variations in both node processing capacity and multiprogramming level are reflected by using 
random T_s values from a linear probability distribution of different intervals denoted by the relative 
standard deviation (σ_R), which is the standard deviation of all the packet service times divided by their 
average. Variable network traffic loads between nodes are mirrored by randomly selecting ρ on each 
node within the interval 0 < ρ < ρ_max, where ρ_max is the maximum network traffic load per node. 

Time tampering detection performance for the CASE 1 and CASE 2 scenarios will now be 
respectively considered, where time tampering attacks on TTHCA are simulated in accordance with 
Equations (7) and (8). Note that the results presented relate solely to the ΔT Vector time tampering 
detection performance of the TTHCA algorithm, and not to the wormhole attack detection rates, which 
have already been rigorously presented in [17]. The simulation parameter settings used throughout the 
experiments are given in Table 1, with a detailed description of the customised simulation tool being 
provided in Appendix A. 



Sensors 2013, 13 



6660 



Table 1. Simulation parameter settings. 

Parameter | Settings 
Distance between two successive nodes (d) | Randomly set: 150 m-250 m 
Packet propagation speed (S) | 3 × 10^8 m/s 
Routing packet service time per node distribution (T_s) | Randomly chosen from linear probability distributions for variable σ_R 
Routing packet processing time per node distribution (ΔT_RREQ/RREP) | Calculated from Equation (11) 
Network traffic load per node distribution (ρ) | Randomly 0 < ρ < ρ_max for variable ρ_max 
Route HC | Randomly set: 3-15 
Number of samples per test case | 100,000 
Wormhole attack type | PM I-B 
Time tampering attack | Launched according to Equations (7) and (8) 
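
An added example (not the authors' simulation tool) of the right-tailed Q-test of Equations (9) and (10) applied to a ΔT Vector, with healthy values produced by the M/D/1 model of Equation (11). The service times, the 8.0016 ms inflation, the track record, the critical values (commonly tabulated 80% values for Dixon's Q, which the page does not list) and the use of the n − 1 critical value for Q_2 are assumptions of this example.

```python
# Added example (not the paper's simulator): right-tailed Dixon Q-test on a
# Delta-T Vector, Equations (9) and (10), with healthy values generated from
# Equation (11). All times are in milliseconds.

# Assumption: commonly tabulated 80% critical values for Dixon's Q, keyed by
# sample count. The page does not list the values it used.
Q_CRIT_80 = {3: 0.886, 4: 0.679, 5: 0.557, 6: 0.482, 7: 0.434,
             8: 0.399, 9: 0.370, 10: 0.349}

SERVICE_MS = [3.6, 4.0, 4.4, 3.8, 4.2]     # constructed per-node service times
TRACK_RECORD = [7.9, 8.3, 8.6, 9.0, 8.1]   # constructed earlier Delta-T samples (CASE 1)
FICTIVE_MS = 8.0016                        # constructed inflation per wormhole node


def md1_processing_time(ts, rho):
    """Equation (11): service time plus mean M/D/1 queuing delay."""
    if not 0 <= rho < 1:
        raise ValueError("traffic load must satisfy 0 <= rho < 1")
    return ts * (2 - rho) / (2 * (1 - rho))


def node_dt(ts, rho):
    """One vector element: RREQ plus RREP processing, same load for both (assumption)."""
    return 2 * md1_processing_time(ts, rho)


def q_values(samples):
    """Return (Q1, Q2) for the ranked samples; Q2 is None with only three samples."""
    x = sorted(samples)
    if len(x) < 3:
        raise ValueError("the Q-test needs at least three samples")

    def ratio(gap, spread):
        return gap / spread if spread > 0 else 0.0   # identical values: no outlier

    q1 = ratio(x[-1] - x[-2], x[-1] - x[0])                            # Equation (9)
    q2 = ratio(x[-2] - x[-3], x[-2] - x[0]) if len(x) >= 4 else None   # Equation (10)
    return q1, q2


def tampering_suspected(dt_vector, history=(), crit=Q_CRIT_80):
    """True if either of the two largest values is an outlier at the given level."""
    samples = list(dt_vector) + list(history)
    n = len(samples)
    if n not in crit:
        raise ValueError(f"no critical value supplied for {n} samples")
    q1, q2 = q_values(samples)
    if q1 > crit[n]:
        return True
    # Assumption: Q2 is judged against the critical value for the n - 1 samples
    # that remain once the largest value is set aside.
    return q2 is not None and q2 > crit[n - 1]


def healthy_vector():
    """Five nodes at low load (rho = 0.1)."""
    return [node_dt(ts, 0.1) for ts in SERVICE_MS]


def tampered_vector():
    """Same route with two adjacent entries inflated, as under Equations (7) and (8)."""
    v = healthy_vector()
    v[1] += FICTIVE_MS
    v[2] += FICTIVE_MS
    return v


def loaded_vector():
    """Healthy route where one node queues heavily (rho = 0.9): a false positive."""
    v = healthy_vector()
    v[1] = node_dt(SERVICE_MS[1], 0.9)
    return v


if __name__ == "__main__":
    for name, vec in [("healthy", healthy_vector()), ("tampered", tampered_vector()),
                      ("loaded", loaded_vector())]:
        q1, q2 = q_values(vec)
        print(f"{name:8s} Q1={q1:.3f} Q2={q2:.3f} suspected={tampering_suspected(vec)}")
    print("tampered + track record:", tampering_suspected(tampered_vector(), TRACK_RECORD))
```

With two similarly inflated entries Q_1 stays small and only Q_2 crosses its critical value, while the heavily loaded healthy node is flagged by Q_1, the false positive case the results below discuss.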



5.1. CASE 1: MANET Nodes with ΔT Track Records 

In the first series of experiments, the situation where a node has been in the MANET for a period of 
time is analysed and there are at least 15 ΔT_i values available. Figure 3 shows the impact of variations 
in both routing packet service time (σ_R) and network traffic load (ρ_max) upon the time tampering 
detection performance for different wormhole lengths. 

The results reveal that for the ideal case where ΔT is constant, so all nodes have identical hardware 
and multiprogramming level (σ_R = 0), and each node carries negligible network traffic load (ρ_max = 0), 
then 100% time tampering detection is achieved for all wormhole lengths with no corresponding FP 
being detected (see Figure 4). Predictably, as variations in ΔT_i increase, the detection rate falls and FP 
increase, though the time tampering detection rate is still at least 86% for all wormhole lengths 
analysed even when σ_R = 0.35 and ρ_max = 0.6. 

For wormhole lengths >5 hops, at least 94% of tampered ΔT_i values can be successfully detected 
under all conditions when σ_R = 0.5 and ρ_max = 0.9, with the detection rate being 87% for a wormhole 
HC of 5. A notable aspect of the performance of the ΔT Vector extension is that a minimum of 74% of 
tampered ΔT values can still be detected even when the wormhole HC is 4. Pragmatically, this means 
that successful time tampering in wormholes >4 hops will be extremely difficult to achieve since the 
probability of avoiding detection is less than 30%. 

For 3 HC wormholes, the time tampering detection performance drops markedly when there are 
variations in either network traffic load or routing packet service times, because a healthy node can 
then often produce a higher ΔT than a tampered ΔT. This reflects the situation of when heavy network 
traffic loads (ρ ≈ 1) unavoidably cause longer queuing delays and/or high multiprogramming levels 
lead to increased service times for routing packets. In contrast, the wormhole nodes and those nodes 
through which routing packets are tunneled may continue to have negligible loads (ρ ≈ 0) and 
correspondingly short packet service times. 

Figure 3. Time tampering detection performance for different wormhole HC for variable 
network traffic loads (ρ_max) and routing packet service times (σ_R) with at least 15 ΔT_i 
samples available. 

Figure 4. FP detection for different wormhole HC under variable network traffic loads 
(ρ_max) and routing packet service times (σ_R) with at least 15 ΔT_i samples available. 

Despite this decline in performance, tampered ΔT values can still be detected with an accuracy of 
57% for 3 HC wormholes, when σ_R = 0.5 and ρ_max = 0.9. This still characterises a noteworthy 
enhancement to TTHCA, especially when cognisance is made of the stringent criteria necessary to 
launch a time tampering attack in the first instance. 

The corresponding FP detection rate remains ≈20% for the σ_R range considered, provided ρ_max < 0.6 
because the Q-test compares the difference between the two largest ΔT values in relation to the 
difference between ΔT_max and ΔT_min which will be approximately constant, regardless of the interval, 
provided the ΔT values are linearly distributed. When ρ_max = 0.9, the FP rate rises because the queuing 
delay of a node increases rapidly as ρ tends to 1, and the ΔT_i distributions are no longer linear. This 
means that a ΔT_i value produced by a node with a high network traffic load can easily become 
confused with a tampered ΔT. Realistically however, even a FP rate of ≈30% is still a satisfactory 
outcome since FP detection does not automatically mean that a route between a source and destination 
node cannot be established, but rather that an alternative route must be chosen other than the shortest 
path in terms of HC. 

5.2. CASE 2: MANET Nodes without ΔT Track Records 

The second set of experiments analysed the situation when a new node joins the MANET and 
requests a route for the first time. The same conditions are employed as in Section 5.1, though now it is 
assumed that only between three and 15 ΔT_i values are available for the node requesting the new route, 
since there is no a priori knowledge about previously measured ΔT values. The corresponding time 
tampering detection results are displayed in Figure 5. 

The absence of any track record meant that detection performance was not as consistent as CASE 1, 
though a time tampering detection rate of >80% has still been achieved for all wormhole HC when 
σ_R < 0.2 and ρ_max < 0.6. For wormholes >5 hops, at least 68% of tampered ΔT values were correctly 
detected even when σ_R = 0.5 and ρ_max = 0.9. The equivalent FP detection rates displayed in Figure 6, 
were slightly higher than in CASE 1 for ρ_max < 0.6 for example, and performance was more sensitive to 
high network traffic load variations (ρ_max = 0.9) due to the smaller number of ΔT_i samples. 
Nevertheless, even a FP rate of 45% when ρ_max = 0.9 can still be deemed acceptable as more than half 
of all possible routes are available. 

The time tampering detection performance is thus less robust in CASE 2 when no ΔT track record is 
available, though this does represent the worst possible MANET situation, when a new node performs its 
first route discovery procedure. As a node runs the route discovery procedure more often, the 
corresponding time tampering detection rate will quickly improve and converge towards the results 
presented for CASE 1. This implies that to strengthen the time tampering detection performance for new 
nodes, it is prudent to run a few route discovery procedures before starting to communicate within the 
network. This could for instance, be accomplished by specifying within the routing protocol that a node is 
not allowed to communicate within the network until it has collected a minimum of 15 ΔT samples. 

Figure 5. Time tampering detection performance for different wormhole HC under 
variable network traffic loads (ρ_max) and routing packet service times (σ_R) for 3 < ΔT_i 
samples < 15. 

Figure 6. False positive detection for different wormhole HC under variable network 
traffic loads (ρ_max) and routing packet service times (σ_R) for 3 < ΔT_i samples < 15. 

5.3. Network Overheads and Computational Complexity 

One of the consequences of the AT Vector extension is a larger RREP packet as it must contain the 
individual AT values of all intermediate nodes of a route, while the original TTHCA mechanism only 
requires the sum AT_tot. The size of the AT Vector is dependent on the route HC, so if for example each 
AT value is represented by 32 bits, then on a route from a source node S to a destination node D with 
intermediate nodes I1 and I2, RREP will comprise a AT Vector length of 32 bits, 64 bits and 96 bits 
when respectively received by I2, I1 and S. This contrasts with the corresponding RREP packet in the 
TTHCA algorithm which will have a 32-bit AT_tot value for each node. While a AT Vector with more 
than one element theoretically increases the transmission and reception time requirements for the 
routing packet, when cognisance is taken of the high bandwidths available in modern wireless 
technologies, the extended RREP packets will have negligible impact upon performance. 

A second ramification of the AT Vector extension is the increased FP detection rate. From the 
network performance perspective, this means that the shortest route in terms of HC is not always 
available, as highlighted in both Sections 5.1 and 5.2. This does not necessarily imply decreased 
performance in terms of route delay since FP detection can in many cases lead to a positive outcome as 
routes with intermediate nodes with very high traffic loads will be omitted. 

A formal complexity analysis for the new AT Vector extension reveals the only supplementary cost 
incurred compared with the original TTHCA algorithm is the outlier detection scheme performed by 
the source node. If the Dixon Q-test is used as the outlier method, the only extra computations needing 
to be performed relate to the ranking of AT Vector values. Since the AT Vector length equals the route 
HC, the time complexity for ranking is O(HC ). This ranking however, can be implemented as a linear 
search of 4 AT values, since the Q-test only uses the three largest and the smallest AT value. This 
results in a time complexity for the new AT Vector extension of O(HC), which is the same as TTHCA [17]. 
The corresponding FP performance of the AT Vector extension also needs to be analysed because FPs are 
identified even when there are no errors in the measured node processing times. If the probability of a 
FP is p, then the probability of i FPs occurring before a healthy route is located will be (1 − p)·p^i. The 
average number <i> of routes discovered before a healthy route can therefore be expressed as p/(1 − p). 
So for p < 0.5, on average up to one FP will be discovered before a healthy route is identified for the 
AT Vector extension. The worst case in a single wormhole MANET is thus, on average, three algorithm 
executions when a wormhole infected route is found before a healthy route is located. In contrast, the 
impact of FP on the TTHCA algorithm is less problematic because a FP is only identified when there 
are time measuring errors [17]. 
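
The linear-time ranking described above, as an added Python illustration that is not the authors' code: one pass keeps the smallest and the three largest AT values, then Dixon's Q ratio is applied to the largest value and, with that value set aside, to the second largest. The Q95 table (commonly tabulated two-tailed 95% critical values for 3 to 10 samples), the second test and all function names are assumptions of this example.

```python
# Added example, not the paper's code: O(HC) high-outlier check on an AT Vector.
# Assumption: two-tailed 95% Dixon Q critical values for 3..10 samples.
Q95 = {3: 0.970, 4: 0.829, 5: 0.710, 6: 0.625,
       7: 0.568, 8: 0.526, 9: 0.493, 10: 0.466}


def extremes(at_vector):
    """Single pass: return (smallest, [largest, 2nd largest, 3rd largest])."""
    smallest = float("inf")
    top = []                      # sorted descending, never longer than 3
    for value in at_vector:
        smallest = min(smallest, value)
        top.append(value)
        top.sort(reverse=True)    # constant cost: at most 4 elements
        del top[3:]
    return smallest, top


def q_ratio(suspect, neighbour, smallest):
    """Dixon gap/range ratio for a suspected high value."""
    spread = suspect - smallest
    return 0.0 if spread == 0 else (suspect - neighbour) / spread


def tampering_suspected(at_vector, table=Q95):
    """True if the largest AT value, or the second largest once the largest
    is set aside, is a high outlier at the table's confidence level."""
    n = len(at_vector)
    if n not in table:
        raise ValueError("no critical value for %d samples" % n)
    smallest, (first, second, third) = extremes(at_vector)
    if q_ratio(first, second, smallest) > table[n]:
        return True
    # Two inflated values mask each other in the first test, so the second
    # largest is tested against the remaining n - 1 samples.
    return n - 1 in table and q_ratio(second, third, smallest) > table[n - 1]


if __name__ == "__main__":
    # Constructed AT Vectors (milliseconds), not measurements from the paper.
    honest = [2.1, 2.3, 1.9, 2.0, 2.2, 2.4]
    one_inflated = [2.1, 2.3, 1.9, 2.0, 2.2, 9.8]
    two_inflated = [2.1, 9.5, 1.9, 2.0, 2.2, 9.8]
    for name, vec in (("honest", honest), ("one", one_inflated),
                      ("two", two_inflated)):
        print(name, tampering_suspected(vec))
```

The two-value case shows why the third largest value is needed: the ratio for 9.8 alone is small because 9.5 sits next to it, and only the second test exposes the pair.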

In summary, this formal analysis has shown the new AT Vector extension has the same linear time 
complexity as the original TTHCA algorithm, with the rider that because of FP occurrences, one 
additional execution cycle of the AT Vector extension may be necessitated, though this still affords a 
very effective lightweight protection mechanism against time tampering for TTHCA. 

6. Conclusions and Future Research 

The traversal time and hop count analysis (TTHCA) algorithm is a MANET wormhole detection 
technique, introduced as an extension to the ad hoc distance vector (AODV) routing protocol. A latent 
security threat to TTHCA is that as each intermediate node and the destination node measures the 
packet traversal time, a participation mode (PM) wormhole node can potentially provide false 
measurement values and avoid detection. This paper has analysed the conditions for a time tampering 
attack and proposed a security mechanism for TTHCA called the AT Vector extension for detecting 
false time values in PM in-band (I-B) wormholes. This requires the destination node and each 
intermediate node to add their individual processing times of the route request (RREQ) and route reply 
(RREP) packages (AT) to a vector parameter in the RREP instead of using a single total packet 
processing time parameter (AT_tot) as in the original TTHCA algorithm. This makes each individual 
AT_i measurement available for a node requesting a route and suspicious AT_i values caused by PM I-B 
wormhole nodes can thus be identified by an outlier detection method. The AT Vector extension offers 
a notable security enhancement to the original TTHCA wormhole detection algorithm by providing an 
effective time tampering detection mechanism for PM wormholes, while retaining many of the smart 
features of TTHCA, particularly being a low-cost algorithm in terms of both computational complexity 
and network overheads. 

In terms of future research, minimisation of false positive (FP) detections incurred by the AT Vector 
extension is an important objective. The FP rate can potentially be decreased by not including nodes 
suspected of time tampering to the graylist, since a high AT caused by time tampering is permanent 
compared with a temporarily high AT due to queuing delays. An alternative strategy is to choose a 
higher confidence level for the outlier detection, though this will proportionally reduce the corresponding 
time tampering detection performance of the AT Vector mechanism. 

Appendix A 

Custom Tool for Simulating Different Sized AT Vectors 

This section investigates the software tool used to generate the simulated AT values, with all 
variables with their initialised values being displayed in Table A1. To enable the interested reader to 
faithfully reproduce this tool, the documented pseudo-code showing the creation of a AT Vector 
during both the RREQ broadcast and corresponding RREP response phases is provided in Tables A2 
and A3 respectively. 



Table A1. Variables used in the simulation tool and their initial values. 

| HC_wh = user defined | Wormhole length (number of hops) |
| HC = [3,15] | Randomly chosen for each route. Includes both the actual route HC and HC_wh |
| t_RREQ = 0 | Tunnelling delay of RREQ through wormhole link |
| t_RREP = 0 | Tunnelling delay of RREP through wormhole link |
| M1 = 1 | Malicious node #1 |
| M2 = M1 + HC_wh | Malicious node #2 |
| i = 1 | AT Vector index |


Table A2. Routing packet processing delay generation and malicious node time tampering 
estimations during the RREQ broadcast phase. 

|  | Description/motivation |
| FOR l = 1 to HC: | l = 1 is the first intermediate node and l = HC is the destination node |
| ρ = [0, ρ_max] | Random traffic load assigned for each node |
| T_s,l = randomly chosen from a linear distribution with user defined relative standard deviation (σ_r) | Every node (l) is assigned a random packet service time. |
| AT_RREQ,l calculated according to Equation (11) | RREQ processing time at each node calculated according to the M/D/1 queuing model. |
| d_l = random between 150 m and 250 m | Distance between node l and l-1 |
| IF l > M1 AND l < M2 THEN t_RREQ = t_RREQ + d_l/S + AT_RREQ,l | RREQ tunnelled propagation delay through the wormhole is the sum of AT_RREQ,l at each intermediate node and PTT between M1 and M2. |
| IF l = M2 THEN t_RREQ = t_RREQ + d_l/S; AT_F2 = t_RREQ + R/S | PTT between l (M2) and l-1 is added to t_RREQ and M2 calculates AT_F2 to be added to its AT_i when it receives the corresponding RREP. |
| END FOR |  |

Table A3. Routing packet processing delay generation, time tampering and generation of 
the AT Vector during the RREP response phase. 

| Code Section | Comments |
| FOR l = HC to 1: | As it is a RREP broadcast, the iteration starts at l = HC. |
| ρ = [0, ρ_max] | Random traffic load is assigned for each node to reflect a potential change in network traffic conditions between processing RREQ and RREP. |
| AT_RREP,l calculated according to Equation (11) | RREP processing time at each l follows the M/D/1 queuing model. Since the service time of both RREQ and RREP is assumed constant, T_s,l from Table A2 is used. |
| AT_i = AT_RREQ,l + AT_RREP,l | Processing delays of both RREQ and RREP added to the AT Vector (AT) |
| IF l < M2 AND l > M1 THEN t_RREP = t_RREP + d_l/S + AT_RREP,l | RREP tunnelled propagation delay through the wormhole is the sum of all AT_RREP at intermediate nodes and the PTT between M2 and M1. |
| Increment i | If l is a legitimate intermediate node then AT Vector index is incremented. |
| IF l = M2 THEN t_RREP = t_RREP + d_l/S; AT_i = AT_i + AT_F2 | The PTT between l (M2) and l-1 is added to t_RREP and M2 increments its entry in AT Vector with AT_F2 which was calculated during the RREQ broadcast process. |
| IF l = M1 THEN AT_F1 = t_RREP + R/S; AT_i = AT_i + AT_F1 | M1 calculates AT_F1 with which AT_i is incremented. |
| END FOR |  |